The HTML5 vulnerabilities enterprises need to know
Adobe Flash's end of life is coming, but there are some HTML5 vulnerabilities enterprises should be aware of before making the switch. Expert Judith Myerson outlines the risks.
Adobe Flash Player will reach end of life in 2020. In its announcement of the decision, Adobe urged users and developers to migrate content to other formats, specifically citing HTML5. Adobe said HTML5 and other open standards "have become an alternative for content on the web," though there are some HTML5 vulnerabilities to consider.
HTML5 has features that make it easier for developers to create websites running videos in different formats for different browsers for desktop, tablets, smartphones, gaming and television. It is more flexible than ActionScript, a programming language that is executed by the Adobe Flash Player. Flash is not supported on all mobile devices, such as the iPhone or iPad.
YouTube already dropped Flash as the default in favor of HTML5. HTML5 adopted adaptive bitrate streaming to let the site change video resolution for viewers based on network quality. This technology enables people to live stream their play sessions on Xbox One. WebM with VP9 codec works well on YouTube.
However, HTML5 doesn't entirely replace Flash. It can't support the video streaming that Flash uses for video conferencing. It can't interact with a webcam and record audio from a microphone. HTML5, on its own, cannot be used for animation or interactivity. It needs CSS3 or JavaScript to accomplish either.
HTML5 enables a developer or technically savvy network administrator to specify videos in different formats for different browsers. But is HTML5 safe to use as a replacement for Flash? There are some HTML5 vulnerabilities, but there are ways to mitigate or prevent them.
Readable source code
The first of the notable HTML5 vulnerabilities to be aware of is that the source code of unencrypted HTML5-based webpages is readable in any browser. Being able to view header, section, article and video tags makes it easier for attackers to locate video files. Here's an example:
<video width="320" height="240" controls>
<source src="movie.mp4" type="video/mp4">
<source src="movie.ogg" type="video/ogg">
<source src="movie.webm" type="video/webm">
</video>
The three video files supported by HTML5 are listed in plain view. The browsers detect which video can be played on which devices, from desktop computers to tablets and mobile phones.
Safari and Microsoft browsers don't provide support for Ogg with Theora and WebM with VP8/VP9. The more popular MP4 files run in all browsers, including Firefox, Opera and Chrome. They can be downloaded quickly over the internet. A third-party video player, like VLAN, can convert AVI files into MP4 files.
In a simple scenario, an attacker sees video files in the source code of the victim's webpage. After a video player is turned on, the attacker uses a video editor to make a copy. Some frames are replaced with malicious look-alikes. After escalating privileges over the affected Wi-Fi or internet connection, the attacker removes the victim's video and replaces it with the malicious video. The victim discovers too late that the affected video doesn't play properly or at all, or that it is part of the attacker's botnet.
Partial security support
Another one of the HTML5 vulnerabilities is in its security support. HTML5Test, a popular web application, gives test scores on how well the browsers perform when running the HTML5 source code. The winner is Opera 45, with a score of 518 out of 555 points. Second place is the desktop Edge 16. Internet Explorer received the lowest points, with 312 for version 11.
Up to five browsers can be compared against a list of 40 desktop, 20 tablet, 15 smartphone and three gaming browsers to find out which browser gets more or fewer points on security.
The most obvious browser vulnerability is that most browsers have not implemented web authentication/FIDO (Fast Identity Online). Firefox 54 and Xbox One are known to have partially implemented it. The World Wide Web Consortium has not completed its standardization of web authentication based upon the FIDO 2.0 Web APIs, which would enable strong authentication across all web browsers and related web platform infrastructures.
Improper implementation
The last of the HTML5 vulnerabilities is that security issues occur when multiple facets of HTML5 are not securely implemented. These include communication APIs, like web messaging and web sockets; storage APIs; geolocation; web workers; and sandboxed frames and offline applications.
An attacker could inject malicious code into the web worker that, for example, could run in a never-ending loop in the background and adversely affect the performance of a video player. A sandboxed frame could be injected to maliciously block automatic playing of a video. Compromised video files could be stored in a local storage or client-side database.
In addition, a web message could be maliciously altered and sent to the wrong target. A web socket is open to denial-of-service (DoS) attacks. It allows an unlimited number of connections to the target server, and resources on the server can be exhausted because of a DoS attack.
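The web messaging risk above (a message altered in transit between windows, or delivered to the wrong target) is handled on both ends of postMessage. The following is an added example, not code from the article; the origins, the command format and the function names are assumptions made for illustration.

```javascript
// Added example. PLAYER_ORIGIN, PAGE_ORIGIN and the command shape are assumed.
const PLAYER_ORIGIN = "https://player.example.com"; // frame that hosts the <video>
const PAGE_ORIGIN = "https://www.example.com";      // page allowed to control it
const ALLOWED_TYPES = new Set(["play", "pause", "seek"]);

// Sender: always name the receiver's origin. "*" would deliver the message to
// whatever document currently occupies the frame, i.e. the wrong target.
function sendCommand(targetWindow, command, targetOrigin = PLAYER_ORIGIN) {
  if (targetOrigin === "*") throw new Error("wildcard targetOrigin refused");
  targetWindow.postMessage(JSON.stringify(command), targetOrigin);
}

// Receiver: returns a cleaned command, or null when the message is rejected.
function validateMessage(event, trustedOrigin, trustedSource) {
  if (event.origin !== trustedOrigin) return null;                 // unknown sender
  if (trustedSource && event.source !== trustedSource) return null; // wrong window
  if (typeof event.data !== "string" || event.data.length > 1024) return null;
  let msg;
  try { msg = JSON.parse(event.data); } catch { return null; }
  if (!msg || !ALLOWED_TYPES.has(msg.type)) return null;            // altered type
  if (msg.type === "seek" && !(Number.isFinite(msg.time) && msg.time >= 0)) return null;
  return { type: msg.type, time: msg.time };
}

// Only validated commands ever reach the media element.
function applyCommand(video, cmd) {
  if (cmd.type === "play") video.play();
  else if (cmd.type === "pause") video.pause();
  else video.currentTime = cmd.time;
}

// Browser wiring inside the player frame (skipped when run outside a browser).
if (typeof window !== "undefined" && typeof document !== "undefined") {
  window.addEventListener("message", (event) => {
    const cmd = validateMessage(event, PAGE_ORIGIN, window.parent);
    if (cmd) applyCommand(document.querySelector("video"), cmd);
  });
}
```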
Securing video files
There are some ways to protect against these HTML5 vulnerabilities and make sure HTML5 is secure enough, including:
- encrypt HTML5 source code and make it impossible for people to read using something like Encrypt HTML Pro;
- install a filtering utility to remove malicious code, like HTML Purifier;
- update or patch wireless routers and Bluetooth devices;
- restrict the permissions for untrusted code;
- prevent printing or copying of source code;
- change default administrator passwords;
- tag inputs from any unreliable sources and don't allow them to run;
- visit HTML5Test to test security support for your browsers; and
- run HTML5 with HTTPS.
To further enhance HTML5 security, the Open Web Application Security Project recommends using the following HTTP headers: X-Frame-Options, X-XSS-Protection, Strict-Transport-Security, Content-Security-Policy and Origin.
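The headers listed above, together with a limit on the unbounded web socket connections described under "Improper implementation," can be applied on a Node.js server as follows. This is an added example, not code from the article or from OWASP; the allowed origin, the per-client cap, the policy values and the function names are assumptions.

```javascript
// Added example. Origin, cap and policy values below are assumed, not from the article.
const ALLOWED_ORIGINS = new Set(["https://video.example.com"]);
const MAX_SOCKETS_PER_IP = 5;
const socketsPerIp = new Map();

// Response headers for the page that embeds the <video> element.
function securityHeaders() {
  return {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    // media-src 'self' stops the page from loading video from any other host.
    "Content-Security-Policy": "default-src 'self'; media-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    // Legacy header: browsers removed the XSS auditor, so OWASP now advises 0.
    "X-XSS-Protection": "0",
  };
}

// Decide whether a WebSocket upgrade may proceed: 0 admits, otherwise an HTTP status.
function admitUpgrade(origin, ip, counts = socketsPerIp) {
  if (!ALLOWED_ORIGINS.has(origin)) return 403;                // cross-site or missing Origin
  if ((counts.get(ip) || 0) >= MAX_SOCKETS_PER_IP) return 429; // per-client connection cap
  counts.set(ip, (counts.get(ip) || 0) + 1);
  return 0;
}

// Return the slot when a socket closes.
function releaseSocket(ip, counts = socketsPerIp) {
  const n = (counts.get(ip) || 0) - 1;
  if (n > 0) counts.set(ip, n); else counts.delete(ip);
}

// Attach both controls to an http.Server supplied by the caller. onAdmit is the
// caller's function that completes the WebSocket handshake for admitted sockets.
function harden(server, onAdmit) {
  server.prependListener("request", (req, res) => {
    for (const [name, value] of Object.entries(securityHeaders())) res.setHeader(name, value);
  });
  server.on("upgrade", (req, socket, head) => {
    const ip = socket.remoteAddress;
    const status = admitUpgrade(req.headers.origin, ip);
    if (status) return socket.end(`HTTP/1.1 ${status} Rejected\r\n\r\n`);
    socket.on("close", () => releaseSocket(ip));
    onAdmit(req, socket, head);
  });
}
```

The Origin check only constrains browsers, since other clients can send any Origin value; the per-client cap is what bounds resource use, and behind a proxy the client address has to come from the proxy rather than socket.remoteAddress.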
Conclusion
The death of Adobe Flash will no doubt be a welcome development for many security-minded enterprises, but the most popular alternative is not immune to bugs and weaknesses. Organizations should be aware of common HTML5 vulnerabilities and stay up to date on patches and other security issues.